Description
Stefan Horst of SektionEins GmbH reported a critical pre-auth SQL injection vulnerability in Drupal core 7.x versions prior to 7.32. Drupal 7 includes a database abstraction API to ensure that queries executed against the database are sanitized to prevent SQL injection attacks.A vulnerability in this API allows an attacker to send specially crafted requests resulting in arbitrary SQL execution. Depending on the content of the requests this can lead to privilege escalation, arbitrary PHP execution, or other attacks.
Remediation
It is recommended to upgrade to the latest version of Drupal. (This issue was fixed in version 7.32).
References
Related Vulnerabilities
WordPress Plugin WP Google Maps SQL Injection (7.11.17)
WordPress Plugin All-In-One Security (AIOS)-Security and Firewall SQL Injection (3.8.7)
WordPress Plugin Permalink Manager Lite SQL Injection (2.2.12)
WordPress Plugin Tutor LMS-eLearning and online course solution SQL Injection (2.7.0)
WordPress Plugin Advertizer 'id' Parameter SQL Injection (1.0)